AI compliance officer · SOC 2 · HIPAA

Get SOC 2 done, with an agent.

Vera scans your infrastructure, writes the policies, and collects the evidence — auditor-ready in weeks, before your enterprise deal stalls. $499/month replaces the $60–180K compliance stack.

See the product: https://app.screenata.com/chat

Let's get you audit-ready, Sarah

How can I help you today?

  • Evidence: 70% collected automatically
  • Providers: 60+ native integrations
  • Checks: 500+ automated evidence checks
  • Founder effort: <10 hrs, not 80+ hours

Scans the systems you already run

AWS, Google Cloud, Azure, Cloudflare, GitHub, GitLab, Okta, Auth0, Google Workspace, 1Password, Datadog, CrowdStrike, Sentry, Wiz, Tailscale, Slack, Jira, Linear, Notion, Stripe

Scan first. Then write what you can prove.

Vera assembles structured context from GitHub, AWS or GCP, your IdP, and existing evidence before a single policy is written. The overpromise checker flags hard commitments unsupported by what she found — before your auditor does.

  • Policies grounded in real IAM policies, branch protection, and MFA settings
  • Overpromise detection — the #1 audit failure mode, caught at draft time
  • All 8 SOC 2 Type I deliverables, right-sized for a 5–50 person team
Access Control Policy · draft · 2 flagged

  • "Acme Corp enforces multi-factor authentication through Okta for all administrative access to production systems." [verified]
  • "Production access is reviewed quarterly by the security team to remove stale entitlements." [overpromise]

Vera flagged this claim:

No quarterly access review evidence found in the last 12 months across Okta and GitHub. Soften to "periodic reviews as needed", or commit to quarterly and let me schedule them.

Actions: Soften language · Schedule quarterly review

Evidence that collects itself.

70% of evidence is collected automatically across 60+ providers and 500+ checks. Vera posts a readiness briefing in Slack at 6:30 AM, delegates the rest by DM, and ingests files dropped right back at her — zero dashboard uploads.

  • Daily freshness checks: fresh → stale at 90d → expired at 120d
  • Forward an email or drop a file in Slack — auto-classified and linked to the right control
  • Quarterly access reviews run as scheduled agent operations
Slack — Acme Corp · #compliance · 8 members · pinned: SOC 2 program

Today

Screenata APP · 6:30 AM

Daily compliance briefing · Mon Apr 28

  • Readiness 84% (+12 vs last week)
  • 1 blocker: CC6.1 — Okta access review evidence stale (92d)
  • 2 warnings: CloudTrail Q2 export missing, S3 encryption check needs re-run
  • Next: ask @priya for the access review export

Screenata APP · 9:04 AM

Weekly cloud scan · 500 checks

  • 499 passed · 1 new finding
  • S3 bucket logs-archive missing default encryption
  • Drafted remediation ticket — needs your approval to apply.

One sentence. One claim. One test. One signed artifact.

Vanta and Drata link evidence to controls — that's it. Screenata links a specific sentence in a policy to a testable claim, to the control test that verifies it, to a cryptographically signed artifact your auditor can verify outside Screenata.

  • Per-file SHA-256 manifests, RSA/ECDSA signatures, RFC 3161 timestamps
  • Bring your own signing key — platform, customer key, or cloud KMS
  • Open Evidence Spec with a free verify CLI

Policy sentence

Administrative access requires MFA through Okta.

Access Control Policy / §3.2

extracts a testable claim

Policy claim

MFA enforced for admin accounts

CC6.1 · IA-2 · IMPLEMENTED

verified by a control test

Control test

Okta MFA policy verification

Native API check · 24h freshness

produces a signed artifact

Evidence artifact

Signed Okta API response

SHA-256 + RFC 3161 timestamp


Compliance in the terminal, the PR, and Claude Code.

The enterprise API, screenata CLI, GitHub App, and MCP server are one architecture. Every tool hits the same API. Compliance-as-code, not yet another tab.

  • PR compliance reviews — auto-comments when changes touch controls
  • MCP server for Claude Code, Cursor, and Windsurf
  • screenata audit check returns exit 0/1 — wire it into CI

What auditors need first

“Until we have all the policies in place, the risk assessment completed, system description completed, a timestamped network diagram, a vulnerability scan report — we wouldn’t be able to begin with control testing.”

SOC 2 auditor

Screenata delivers all 8 Type I artifacts — policies, risk assessment, system description, network diagram, org chart, control matrix, vulnerability review, oversight minutes — in 4–6 weeks.

Security

Verifiable trust for your data — and your auditor.

Two recent collapses broke trust in AI compliance. We answer with architecture, not adjectives: where credentials live, how evidence is signed, what Vera is allowed to do.

Credentials never touch our database

Cloud provider keys live in Azure Key Vault, retrieved at scan time, never cached or logged.

Read-only by construction

No write scopes on your repos or cloud. Source code is scanned in memory and never persisted.

Evidence you can verify yourself

RSA/ECDSA signatures, RFC 3161 timestamps, SHA-256 manifests, BYOK. Open spec + free verify CLI.

Pricing

$499/month replaces the $60–180K stack.

The honest comparison is auditor + vCISO + GRC platform. The auditor stays independent — we replace the orchestration layer driving most of the cost.
See pricing
Six-month path to audit          Traditional   Screenata
Auditor                          $15K          $15K
vCISO / consultant (6 months)    $60K          $0
GRC platform                     $10K          $3K
Prep time                        6 months      4–6 wks
Total                            $85K+         $18K

FAQ

The questions technical founders ask first.

Concrete architecture, real workflows, and proof over category claims.

What makes Screenata different from Vanta or Drata?

Vanta and Drata are dashboards a human compliance person works inside. Screenata is the compliance person. Vera scans your infrastructure, writes policies from what's real, collects evidence, runs scheduled checks at 6 AM, and delivers everything through Slack, email, GitHub, and your terminal. The dashboard exists for auditors and deep dives — the daily work happens where you already are.

Does Vera actually do work without someone clicking buttons?

Yes. Daily 6:00 AM evidence freshness checks, daily 6:15 AM readiness snapshots, weekly Monday cloud and code scans, quarterly access reviews, and annual risk refreshes all run on scheduled jobs. Vera flags stale evidence, drafts delegation messages, scopes remediation, and posts agent reports. You approve actions; you don't run them.

How are policies generated?

Screenata scans first, then writes. We pull context from GitHub, AWS or GCP, your IdP, existing evidence, and your company profile, then generate policies grounded in what we found. The overpromise checker flags hard commitments (like 'quarterly access reviews') we cannot verify in evidence, before you ever ship them to an auditor.

Can auditors trace claims back to proof?

Yes. Each claim in a policy is anchored to a specific sentence and linked to the control test that verifies it. Each test has its evidence submissions, and each submission references a cryptographically signed artifact. An auditor can hover any claim in a policy, see the test that proves it, and verify the evidence package independently with a signed manifest.

What happens to evidence packages?

Evidence exports are tamper-evident: SHA-256 per-file hashes, RSA or ECDSA digital signatures, RFC 3161 independent timestamps, and BYOK support so enterprises can sign with their own keys. We're publishing the format as an open spec with a free verify CLI so anyone can check a Screenata pack without an account.
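To make the tamper-evident pack concrete, here is an added example that is not Screenata's code: the Open Evidence Spec is not published on this page, so the manifest layout ("<sha256-hex>  <path>", one line per file, sorted by path) is an assumption. It shows what an independent verifier does: rebuild the per-file SHA-256 manifest from the files it received, require a byte-for-byte match with the shipped manifest, then check an ECDSA P-256 signature over it. The RFC 3161 timestamp step needs a live timestamping authority and is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// buildManifest renders one "<sha256-hex>  <path>" line per file, sorted by
// path, so the bytes that get signed are canonical. Assumed layout, not the spec.
func buildManifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return []byte(b.String())
}

// signManifest signs the SHA-256 digest of the manifest with ECDSA P-256 (DER signature).
func signManifest(priv *ecdsa.PrivateKey, manifest []byte) ([]byte, error) {
	digest := sha256.Sum256(manifest)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyPack is the independent check: rebuild the manifest from the files actually
// received, require a byte-for-byte match with the shipped one, then verify the signature.
// Any file altered, added or removed after signing changes the manifest and fails here.
func verifyPack(pub *ecdsa.PublicKey, files map[string][]byte, manifest, sig []byte) bool {
	if string(buildManifest(files)) != string(manifest) {
		return false
	}
	digest := sha256.Sum256(manifest)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// newSigningKey stands in for a platform, customer (BYOK) or KMS-held key.
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
```

Signing a pack with `newSigningKey` and `signManifest`, then handing only the public key, files, manifest and signature to `verifyPack`, mirrors an auditor checking the export without an account.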

Can I use Screenata in Slack?

Yes — Slack is a first-class surface, not a notification channel. Vera posts daily readiness briefings in your #compliance channel at 6:30 AM, DMs teammates for evidence with step-by-step instructions, and accepts file drops directly in Slack — auto-classifying, signing, and routing them to the right control. Slash commands and approval blocks are built in. The dashboard exists for auditors and deep dives; daily compliance work happens where your team already talks.

Is the evidence Vera produces auditor-ready?

Yes. Every artifact is mapped to specific Trust Services Criteria or HIPAA safeguards, signed with SHA-256 + RFC 3161 timestamps, and traceable from policy claim → control test → submission → vault artifact. Auditors get a structured pack — not a folder of screenshots — and can verify integrity independently with a free CLI. We design the output for what auditors actually look for in fieldwork: completeness, attribution, freshness, and tamper evidence.

Which frameworks do you support?

SOC 2 and HIPAA today, with more on the way. Our control model uses a shared canonical catalog so a single MFA scan satisfies SOC 2 CC6.1 and HIPAA §164.312(d) at the same time — and the same scan will map to ISO 27001 and other frameworks as we add them. You collect evidence once instead of paying for each framework separately.

Connect and see

See what your SOC 2 looks like with your real systems.

Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, stale evidence, and prioritized next actions before you commit to anything.

See the product